Password Health Check #3993

wolframroesler · 2019-12-08T16:06:13Z

Type of change

✅ New feature (non-breaking change which adds functionality)

Description and Context

This is the Health Check feature as discussed in #551.

"Password Health" panel in the new "Database -> Reports" dialog (together with the Statistics panel)
Password assessment (red/orange/yellow/green) according to entropy, re-use, and expiration (only red/orange/yellow are shown in table)
Short description that explains what's wrong with a password
More details in tool tip (entropy in bits, where else is it used, when did it expire)
Double-click entry to edit
Password assessment is available as a general-purpose class that can be (and is) used in other places of the software

Screenshots

Testing strategy

Tested manually, some unit tests added.

Checklist:

✅ I have read the CONTRIBUTING document. [REQUIRED]
✅ My code follows the code style of this project. [REQUIRED]
✅ All new and existing tests passed. [REQUIRED]
✅ I have compiled and verified my code with -DWITH_ASAN=ON. [REQUIRED]
✅ I have added tests to cover my changes.

src/core/PasswordHealth.h

src/gui/reports/ReportsWidgetHealthcheck.cpp

src/gui/reports/ReportsWidgetStatistics.cpp

wolframroesler · 2019-12-11T19:31:42Z

No idea what the problem with the Ubuntu TeamCity build is but I'm pretty sure it's unrelated to my code.

phoerious · 2019-12-11T20:04:31Z

Hmm. That must be the host that runs two agents. Somehow when I run two build agents on one machine, the second container has an incomplete configuration. Not sure why, though.

src/core/PasswordHealth.cpp

botanegg · 2019-12-13T18:33:06Z

I've tested on refs/pull/3993/merge (Merge c35a8e6 into 7b95867)
With -fsanitize=address -fno-omit-frame-pointer don't brings any errors

droidmonkey · 2020-01-06T03:09:31Z

Would like to squash all these commits, ok?

wolframroesler · 2020-01-06T11:13:51Z

@droidmonkey Squashing is fine by me, but please scan the comments first to check if there's anything worth keeping. I think I put the source URL of the health check icon somewhere.

4jNsY6fCVqZv · 2020-01-06T13:31:52Z

When I look at your screenshot, two questions come to mind:

Why should a password that was given an expiration date when the entry was created no longer be healthy? The quality of the password does not change after the expiration date.
What do positive results of the health check look like? Can you please give an example?

wolframroesler · 2020-01-07T13:07:05Z

@4jNsY6fCVqZv

Why should a password that was given an expiration date when the entry was created no longer be healthy? The quality of the password does not change after the expiration date.

It depends on the individual's interpretation of what it means that a password has expired. A common interpretation is "the password is no longer valid", either because the service requires it to be renewed after a certain time (and you may lose access if you fail to do so), or because you chose to change the password after a certain time for security reasons. In either case, even though expiration doesn't change the actual password quality (as defined by its entropy), the password is no longer "healthy" after it has expired.

What do positive results of the health check look like? Can you please give an example?

Health check only reports passwords that are not "healthy" (=that have an issue of some sort). "Positive" as in "all passwords are healthy, no action required" looks like this:

In a medical context that would actually be called a "negative" result, so I hope I understood your question correctly. You know, if you get tested for a disease, a "negative" test result (=no disease found) is "positive" (=good) for you, and vice-versa.

BTW, I kind of cheated, just added that message as a result of your question. Thanks for pointing it out.

4jNsY6fCVqZv · 2020-01-08T09:13:27Z

@wolframroesler
As for the second part of your answer, I agree with you as far as the medical point of view is concerned. Thank you for taking up my idea! And thanks for working on the feature!

EDIT Maybe it still needs a little styling. For example, a title line does not seem necessary to me. There is quite a lot of white space. And the hint "Hover over reason..." below the widget is probably not necessary either, right? Somehow I also find it strange that the sentence is completely left-aligned. With no space to the left. Do you have any ideas how to make this look more appealing?

the password is no longer "healthy" after it has expired.

For the first part: I would like a clearer solution here.
A password that has expired, for whatever reason, should perhaps be marked as such separately. It might not be functional anymore or it might want to be replaced by users at their own request after a given time. But in my understanding this does not mean that it deserves "red alert". This means that it has the same value as an insecure password, a password that has been assigned multiple times or even a leaked password, although it may still be completely functional and secure.

Could you imagine that expired passwords would simply be marked differently and users would instead be given the opportunity to renew it after a health check?

But the main window already shows this information, right?
So maybe it would be an idea to include only expired passwords in the health check if they also meet the criteria of insecurity. And on that basis be sorted into the color scale accordingly.

As an example from your screenshot "GitHub". It would suggest: "Weak password -> line break -> Password has expired". Additionally, it's crossed out, like in the main window, so there's a coherence here.

How do you feel about my idea?

droidmonkey · 2020-01-08T11:00:30Z

A simple checkbox would suffice: "Evaluate expired passwords"

wolframroesler · 2020-01-08T19:20:40Z

@4jNsY6fCVqZv Well, since the KeePass system has a data field named "expired" but doesn't define what what exactly it is supposed to mean, everyone's free to use their own definition, however the fact that entries with expired password are shown crossed out in the entry list indicates that there's some significance to it. Also, flagging expiration as a serious issue in Health Check was one of the initial requirements requested in this issue (see comments above).

I don't feel too good about making Health Check configurable. People may be thinking that everything's OK because of a clean Health Check, when in fact they just forgot about some check mark. Also, a check box for expired passwords is just the beginning, someone could have the idea of making the entire scoring system configurable, and I don't want to open that can of worms. (Well, not now, at least.)

Let's talk about actual use cases. What exactly are your criteria to set an expiration date for a password? (This is a question for everyone.)

Could you imagine that expired passwords would simply be marked differently and users would instead be given the opportunity to renew it after a health check?

You can do that already, double-clicking the line in Health Check puts you right into the entry editor. Marking expired passwords differently isn't so easy because how about passwords that are both expired and have poor entropy? The "Reason" column already says "password has expired", that's all the information people need IMHO.

droidmonkey · 2020-01-08T19:40:27Z

To me I set an expiration on an entry if it needs to be changed by that time, or actually expires at that time (eg, credit card).

I agree with your comments!

4jNsY6fCVqZv · 2020-01-09T08:51:03Z

@wolframroesler

My idea was not to make the health check configurable. It was:

So maybe it would be an idea to include only expired passwords in the health check if they also meet the criteria of insecurity. And on that basis be sorted into the color scale accordingly.
As an example from your screenshot "GitHub". It would suggest: "Weak password -> line break -> Password has expired". Additionally, it's crossed out, like in the main window, so there's a coherence here.

What do you say concerning my comments under "EDIT"?

As far as the use cases are concerned, I agree with @droidmonkey .
Usually, I will only set a specific expiration date for passwords if I know that a particular service is likely to expire at a certain point in time or will need to be renewed in some way around that time. In such a case, however, the default behavior of KeePassXC for expired passwords seems sufficient. Having an expired password for a service that no longer works in the password manager does not make it an "unhealthy" password for me.
Another use case I could imagine is to set an expiration date if I don't trust the service not to properly secure my secure passwords. Or if such a service does not allow really secure passwords due to strange character and length restrictions.
In the latter case, however, this would fit my suggested above: A password is only "unhealthy" if it has expired and at the same time is not secure (e.g. sufficient entropy).
A supposedly secure password should not be considered "unhealthy" just because it has expired.
And, to reiterate your advice about configurability: I would, of course, set this as default behavior. Not customizable.

wolframroesler · 2020-01-10T20:42:45Z

@4jNsY6fCVqZv

So maybe it would be an idea to include only expired passwords in the health check if they also meet the criteria of insecurity. [...] A supposedly secure password should not be considered "unhealthy" just because it has expired.

Well, if I'm about to lose access to a service because my password expires tomorrow, I consider that password "unhealthy" even if it has high entropy. In this regard I'd rather err on the side of caution and report it; also, the current behavior was explicitly requested in the requirements (see comments above).

It would suggest: "Weak password -> line break -> Password has expired".

Assuming that "It" is a typo and you meant "I would suggest", that's exactly how it's implemented now. However, crossing it out additionally would be visual overload IMHO.

phoerious · 2020-01-11T12:30:59Z

Perhaps we can add an "ignore" function to tell KeePassXC to not include certain entries in health reports?

droidmonkey · 2020-01-20T13:49:18Z

I squashed everything and will do a review for merging.

src/gui/DatabaseTabWidget.h

src/core/PasswordHealth.h

because it's consistent, not because it's nice. Fixes keepassxreboot#3993

We now have two classes, PasswordHealth to deal with a single password and HealthChecker to deal with all passwords of a database. Fixes keepassxreboot#3993

OLLI-S · 2020-01-26T11:15:23Z

Sorry if this question is a bit stupid, but when is this feature available in the KeePassXC Snapshot Builds (https://snapshot.keepassxc.org/latest/) ?
In "Database Settings" I see no "Health Check".

droidmonkey · 2020-01-26T12:33:20Z

When it is merged to the develop branch

droidmonkey · 2020-01-27T02:32:26Z

I made several substantive changes. One thing to note, the cache in HealthChecker is never used. We can get rid of it, the checking process is extremely fast even with my main database.

wolframroesler · 2020-01-27T19:39:32Z

One thing to note, the cache in HealthChecker is never used.

You're right. I'll remove it because YAGNI.

droidmonkey · 2020-01-27T21:41:37Z

As a point of reference please don't merge in develop to feature branches. We prefer to rebase on top of develop.

because it's consistent, not because it's nice. Fixes keepassxreboot#3993

We now have two classes, PasswordHealth to deal with a single password and HealthChecker to deal with all passwords of a database. Fixes keepassxreboot#3993

wolframroesler · 2020-01-30T20:18:53Z

One thing to note, the cache in HealthChecker is never used.

Removed the cache. I suggest you leave this commit un-squashed so we can recover the cache code in case we need it again in the future.

droidmonkey · 2020-01-30T20:48:26Z

Sure that is a good compromise.

Introduce a password health check to the application that evaluates every entry in a database. Entries that fail various tests are listed for user review and action. Also moves the statistics panel to the new Database -> Reports widget. Recycled entries are excluded from the results. We now have two classes, PasswordHealth to deal with a single password and HealthChecker to deal with all passwords of a database. Tests include passwords that are expired, re-used, and weak. * Closes keepassxreboot#551 * Move zxcvbn usage to a centralized class (PasswordHealth) and replace its usages across the application to ensure standardized interpretation of entropy calculations. * Add new icons for the database reports view * Updated the demo database to show off the reports

The way the class is currently being used, the cache never does anything (because evaluate is never invoked twice for the same entry), so according to YAGNI it has to go. Fixes keepassxreboot#551

Added - Custom Light and Dark themes [#4110, #4769, #4791, #4796, #4892, #4915] - Compact mode to use classic Group and Entry line height [#4910] - View menu to quickly switch themes, compact mode, and toggle UI elements [#4910] - Search for groups and scope search to matched groups [#4705] - Save Database Backup feature [#4550] - Sort entries by "natural order" and move lines up/down [#4357] - Option to launch KeePassXC on system startup/login [#4675] - Caps Lock warning on password input fields [#3646] - Add "Size" column to entry view [#4588] - Browser-like tab experience using Ctrl+[Num] (Alt+[Num] on Linux) [#4063, #4305] - Password Generator: Define additional characters to choose from [#3876] - Reports: Database password health check (offline) [#3993] - Reports: HIBP online service to check for breached passwords [#4438] - Auto-Type: DateTime placeholders [#4409] - Browser: Show group name in results sent to browser extension [#4111] - Browser: Ability to define a custom browser location (macOS and Linux only) [#4148] - Browser: Ability to change root group UUID and inline edit connection ID [#4315, #4591] - CLI: `db-info` command [#4231] - CLI: Use wl-clipboard if xclip is not available (Linux) [#4323] - CLI: Incorporate xclip into snap builds [#4697] - SSH Agent: Key file path env substitution, SSH_AUTH_SOCK override, and connection test [#3769, #3801, #4545] - SSH Agent: Context menu actions to add/remove keys [#4290] Changed - Complete replacement of default database icons [#4699] - Complete replacement of application icons [#4066, #4161, #4203, #4411] - Complete rewrite of documentation and manpages using Asciidoctor [#4937] - Complete refactor of config files; separate between local and roaming [#4665] - Complete refactor of browser integration and proxy code [#4680] - Complete refactor of hardware key integration (YubiKey and OnlyKey) [#4584, #4843] - Significantly improve performance when saving and opening databases [#4309, #4833] - Remove read-only detection for database files [#4508] - Overhaul of password fields and password generator [#4367] - Replace instances of "Master Key" with "Database Credentials" [#4929] - Change settings checkboxes to positive phrasing for consistency [#4715] - Improve UX of using entry actions (focus fix) [#3893] - Set expiration time to Now when enabling entry expiration [#4406] - Always show "New Entry" in context menu [#4617] - Issue warning before adding large attachments [#4651] - Improve importing OPVault [#4630] - Improve AutoOpen capability [#3901, #4752] - Check for updates every 7 days even while still running [#4752] - Improve Windows installer UI/UX [#4675] - Improve config file handling of portable distribution [#4131, #4752] - macOS: Hide dock icon when application is hidden to tray [#4782] - Browser: Use unlock dialog to improve UX of opening a locked database [#3698] - Browser: Improve database and entry settings experience [#4392, #4591] - Browser: Improve confirm access dialog [#2143, #4660] - KeeShare: Improve monitoring file changes of shares [#4720] - CLI: Rename `create` command to `db-create` [#4231] - CLI: Cleanup `db-create` options (`--set-key-file` and `--set-password`) [#4313] - CLI: Use stderr for help text and password prompts [#4086, #4623] - FdoSecrets: Display existing secret service process [#4128] Fixed - Fix changing focus around the main window using tab key [#4641] - Fix search field clearing while still using the application [#4368] - Improve search help widget displaying on macOS and Linux [#4236] - Return keyboard focus after editing an entry [#4287] - Reset database path after failed "Save As" [#4526] - Use SHA256 Digest for Windows code signing [#4129] - Improve handling of ccache when building [#4104, #4335] - macOS: Properly re-hide application window after browser integration and Auto-Type usage [#4909] - Auto-Type: Fix crash when performing on new entry [#4132] - Browser: Send legacy HTTP settings to recycle bin [#4589] - Browser: Fix merging browser keys [#4685] - CLI: Fix encoding when exporting database [#3921] - SSH Agent: Improve reliability and underlying code [#3833, #4256, #4549, #4595] - FdoSecrets: Fix crash when editing settings before service is enabled [#4332]

Envel-Nikita-Gutsenkov · 2020-07-09T19:48:19Z

Sorry if this question is a bit stupid, but when is this feature available in the KeePassXC Snapshot Builds (https://snapshot.keepassxc.org/latest/) ?
In "Database Settings" I see no "Health Check".

same question

varjolintu · 2020-07-09T19:49:30Z

Sorry if this question is a bit stupid, but when is this feature available in the KeePassXC Snapshot Builds (https://snapshot.keepassxc.org/latest/) ?
In "Database Settings" I see no "Health Check".

same question

It's under Database Reports.

wolframroesler force-pushed the feature/healthcheck branch from a22708d to 4c88902 Compare December 8, 2019 16:29